counter

Tuesday, October 11, 2011

Unpacking Custom Packers

There are several articles on internet about unpacking Packed Executables. Most demonstrate the ESP trick. This trick may not work in most packers. These days most malwares use custom packers which are created using some toolkit. You can find lot of malwares of such type like Zbot, SpyeEye, Cycbot.

How PE Packers work

PE Packers compress the PE sections or some other data using some compression algorithms like LZMA ,LZSS,APLIB etc. So to before the running the actual malicious code the packer would

1)Decompress the compressed code:

To do this usually it allocates some space using VirtualAlloc(),ZwAllocateVirtualMemory().Then it will decompress the data to the allocated memory.

2)Fixes the imports:

The imports are fixed so the malware can use the imported API’s . To resolve the import addresses it will use the API’ GetProcAddress() .

3)Jump to OEP:

Finally jumps to the OEP where the the actual malware code begins. Many malwares use multilevel packers.

How to Unpack:

We can set breakpoint on VirtualAlloc() first then after the breakpoint is hit we can remove the breakpoint on VirtualAlloc() and set breakpoint GetProcAddress().

We see that GetProcAddress() would be called repetedly in the loop. This loop is used to resolve all the API’s in the dll. We bypass the loop after that continue debugging.

After few lines of codes we will reach the OEP.

DEMO:

I have taken a sample of SpyEye for the demo.

I had set breakpoint on VirtualAlloc()

Then I set breakpoint on GetProcAddress() and break at the following

We see that getProcAddress is called in loop. We bypass the loop and little below u can see a jump seems like jump to OEP.

I follow the jump

This is another layer of packer .

The trick applies to most packers. May not work in case packers combined with protectors like asprotect.